
automatically strip no-dsa tags by gen-DLA



In an attempt to complete this TODO item from the wiki:

automatically strip no-dsa tags by gen-DLA
https://wiki.debian.org/LTS/TODO#automatically_strip_no-dsa_tags_by_gen-DLA

This is my very early attempt to modify the CVE parser so that it can
write the results back to the CVE file again, meaning we can make
deliberate modifications to the data before doing so.

https://salsa.debian.org/snippets/354

Unfortunately, in making the required changes, it is no longer compatible
with the previous API, as we need to keep track of all the data in such
a way that any modifications are reversible, which is why I copied the
files completely rather than trying to edit in place. The original
parser makes certain changes that are not reversible and can produce
slightly different results (e.g. different ordering of values, different
white-space, etc).

Currently it produces a file with the following differences (see diff
below): the first two changes are due to two tab characters being
replaced by spaces (not sure it matters enough to try and fix this...)
and the last was due to deliberate filtering (line 273).

The filtering is currently hard-coded; this should be called somehow by
gen-DLA.

Any comments or suggestions?


=== cut ===
--- data/CVE/list	2019-11-12 16:54:16.835792742 +1100
+++ a	2019-11-15 16:51:09.043817845 +1100
@@ -354371,7 +354371,7 @@
 	NOT-FOR-US: Trend Micro Anti-Rootkit Common Module
 CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...)
 	- rar 1:3.7b1-1 (high; bug #410582)
-	[sarge]	- rar <no-dsa> (Non-free)
+	[sarge] - rar <no-dsa> (Non-free)
 	[etch] - rar <no-dsa> (Non-free)
 	- unrar-nonfree 1:3.7.3-1 (high; bug #410580)
 	[sarge] - unrar-nonfree 1:3.5.2-0.2
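Review bot: the only change in this hunk is whitespace, the tab between `[sarge]` and `- rar` becoming a space, so it is noise relative to the stated goal of stripping no-dsa tags. Since the cover text says the new parser keeps the data in a reversible form, the separator after the release tag should be captured and written back verbatim rather than re-serialised, so that a run with no filtering produces an empty diff against data/CVE/list.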
@@ -359261,7 +359261,7 @@
 	NOT-FOR-US: BytesFall Explorer (bfExplorer)
 CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...)
 	- phpmyadmin 4:2.9.0.3-1 (low; bug #396638)
-	[sarge]	- phpmyadmin <not-affected> (Vulnerable code not present)
+	[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
 CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...)
 	NOT-FOR-US: Zend Google Data Client Library (ZendGData)
 CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...)
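Review bot: same tab-to-space normalisation as the previous hunk, here on a `<not-affected>` line that the no-dsa filter should never touch, which makes the real change harder to spot in review. If normalising the separator is wanted, it belongs in its own commit; otherwise preserving the original whitespace on lines the filter does not remove keeps the diff limited to the intended removals.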
@@ -376628,7 +376628,6 @@
 	NOT-FOR-US: Sun Java System Directory Server
 CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and  ...)
 	- yiff 2.14.2-8 (bug #334616; low)
-	[sarge] - yiff <no-dsa> (Only a minor privacy leak)
 CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...)
 	NOT-FOR-US: Skype
 CVE-2005-3266
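Review bot: this is the one deliberate removal, and it drops the `[sarge] - yiff <no-dsa>` line together with its rationale `(Only a minor privacy leak)`, while the `[sarge] - rar <no-dsa> (Non-free)` line in the first hunk is kept, so the hard-coded filter at line 273 evidently matches on something narrower than release plus tag. The selection criterion (release, tag, and whatever else decides rar stays and yiff goes) should be an explicit parameter that gen-DLA passes in rather than a constant, and the parser should return the list of removed lines keyed by CVE id so the change can be reviewed and reverted.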
=== cut ===


-- 
Brian May <bam@debian.org>

